ASP.NET "Custom" Security
Hi, my application goes like this:
Windows Forms (client)
|
|
|
ASP.NET (IIS 5.0) or APACHE (vanilla SOAP for example)
|
|
|
SQL Server, DB2, MySQL, Oracle, (whatever)
My schema on the database contains a "Users" table, which contains bits set
or cleared according to whether that user can execute the given method, e.g.
the "dbo.DeleteNode" stored procedure can only be executed by a user with this
bit set in a field in the Users table. I don't want to use the ASP.NET
security model, basically because I will be writing a generic SOAP concrete
class to be returned from my ConnectionFactory class and I won't know it's a
Windows server at the other end. What I want to do, if you people think it
sounds reasonable, is to just pass a username/password with every method I
attempt to execute, to be authenticated by the stored procedure against the
database.

Question 1: Is this a reasonable security model? i.e. just a single U/P
evaluated inside a stored procedure on the database.
Question 2: In order to pass the username/password safely, I have to host it
with HTTPS, correct?
Question 3: If I don't use HTTPS, how can I achieve encryption/decryption?
Question 4: What are the implications for allowing anonymous access, but
stopping unauthorized access inside the stored procedure?
Question 5: Is this a flimsy model and should I have another layer of
security somewhere?
Question 6: What if, as well as sending a username/password, I sent a network
card address (unique!)?

To be honest, I find security a nightmare to think about - especially with
all of the options available, its complexity in some scenarios and what
goes on in the underlying system that I don't see (i.e. Windows
Authentication, how does that work?). I have a large brain, it's true, but
the Security Lobe is rather atrophied. Can I have some advice here please?

Thanks,
Robin.
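An added sketch, not part of Robin's post, of the server-side check the post describes: every call carries a username/password, and the service validates it against a Users table whose integer field holds one permission bit per method (the post names only dbo.DeleteNode; ReadNode and UpdateNode, the account names and passwords, and the use of salted PBKDF2 hashes instead of clear-text passwords are assumptions for this example). An in-memory sqlite3 table stands in for the real database and stored procedure.

```python
import hashlib
import hmac
import os
import sqlite3

# One permission bit per callable method, stored in Users.perms.
# Only DeleteNode comes from the post; the other two are constructed.
PERM_READ_NODE = 0b001
PERM_UPDATE_NODE = 0b010
PERM_DELETE_NODE = 0b100

METHOD_PERMISSION = {
    "ReadNode": PERM_READ_NODE,
    "UpdateNode": PERM_UPDATE_NODE,
    "DeleteNode": PERM_DELETE_NODE,
}

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the table never stores the clear-text password (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def build_users_table(conn: sqlite3.Connection) -> None:
    """Create the Users table and load two constructed sample accounts."""
    conn.execute(
        "CREATE TABLE Users ("
        " username TEXT PRIMARY KEY,"
        " salt BLOB NOT NULL,"
        " pw_hash BLOB NOT NULL,"
        " perms INTEGER NOT NULL)"
    )
    sample_accounts = [  # constructed sample data
        ("alice", "correct horse", PERM_READ_NODE | PERM_UPDATE_NODE | PERM_DELETE_NODE),
        ("bob", "battery staple", PERM_READ_NODE),
    ]
    for username, password, perms in sample_accounts:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO Users VALUES (?, ?, ?, ?)",
            (username, salt, hash_password(password, salt), perms),
        )
    conn.commit()


def authorize(conn: sqlite3.Connection, username: str, password: str, method: str) -> bool:
    """What the stored procedure would do: valid credentials AND the method's bit set."""
    required = METHOD_PERMISSION.get(method)
    if required is None:
        return False  # unknown method: deny rather than guess
    row = conn.execute(
        "SELECT salt, pw_hash, perms FROM Users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False  # unknown user, same answer as a bad password
    salt, stored_hash, perms = row
    # Constant-time comparison so a wrong password is not distinguishable by timing.
    if not hmac.compare_digest(stored_hash, hash_password(password, salt)):
        return False
    return (perms & required) == required


def delete_node(conn: sqlite3.Connection, username: str, password: str, node_id: int) -> str:
    """Service method in the post's style: the caller's credentials travel with every call."""
    if not authorize(conn, username, password, "DeleteNode"):
        return "denied"
    # The real delete would run here; this example only reports the decision.
    return f"deleted node {node_id}"


def demo_connection() -> sqlite3.Connection:
    """In-memory database standing in for SQL Server/DB2/MySQL/Oracle."""
    conn = sqlite3.connect(":memory:")
    build_users_table(conn)
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(delete_node(conn, "alice", "correct horse", 42))  # deleted node 42
    print(delete_node(conn, "bob", "battery staple", 42))   # denied: no DeleteNode bit
    print(delete_node(conn, "alice", "wrong", 42))          # denied: bad password
```

The decision is made entirely on the server side, so a client cannot skip it by calling the method directly; the check also returns the same "denied" answer for an unknown user, a wrong password and a missing bit, so the response does not reveal which one failed. Because the clear-text password travels with every call, the transport question raised in Question 2 (HTTPS) is what protects it on the wire.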